Twitter passwords obtained by Russian hacker

Following the news that the Russian seller who goes by the name of Tessa88 claimed in an encrypted chat to have obtained Twitter’s database, including email addresses, usernames and plain-text passwords, Tod Beardsley, Security Research Manager at Rapid7, has commented:

While the credentials themselves appear to be real, the details provided by LeakedSource indicate that the usernames and passwords are sourced from end users rather than from Twitter itself. Specifically, it appears that the credentials were harvested from individual browsers’ password stores, which is troubling.

We often recommend people save their passwords off in dedicated password management systems such as KeePass, 1Password, or LastPass. It’s just too easy for malware to pick up credentials stored in the default browser password stores as these databases usually lack appropriate access controls.